Morrisons payroll data breach judgment a ‘wake-up call’ for business

The Court of Appeal has upheld the judgment finding Morrisons vicariously liable for the leak of payroll data by a disgruntled employee, but the supermarket says it will take the case to the Supreme Court.

Legal commentators have said that employers will be panicking in light of today’s “bewildering” judgment. Morrisons said it will appeal to the Supreme Court.

In 2014 Andrew Skelton, an internal auditor at Morrisons, posted the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees online. At his criminal trial, he was jailed for eight years.

Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation. More than 5,500 claimants are seeking a payout in the case, although there has been no indication that anyone has suffered financially from the leak.

Data protection

Nick McAleenan, partner at JMW Solicitors, which is representing the claimants, said: “[Employees] were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.

“The claimants are obviously delighted with the Court of Appeal’s ruling. The judges unanimously and robustly dismissed Morrisons’ legal arguments.”

He added that the judgment was a “wake-up call” for business. “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people”.

But Susan Hall, intellectual property lawyer at Clarke Willmott, said: “This is a bewildering judgment. The first instance decision was in many respects shocking, with the judge himself acknowledging that Morrisons had done nothing wrong…

“The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making them liable for potentially millions of pounds in compensation, through no fault of their own. That it has been upheld by the Court of Appeal will have employers up and down the country panicking as there is very little they can do to guard against a similar situation.”

A Morrisons spokesman said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of [a] former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

In dismissing the case at the Court of Appeal today, three senior judges said they found Morrisons’ arguments “unconvincing”.

Their judgment read: “Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.”

They acknowledged that corporate system failures or employees’ negligence might lead to a large number of claims against a company for “potentially ruinous amounts” but said that the solution is to insure against such catastrophes.

In last year’s High Court decision, the judge acknowledged that his judgment “may seem to render the court an accessory in furthering [Mr Skelton’s] criminal aims.”

Oz Alashe, CEO of cybersecurity training platform CybSafe, said: “It is hard to see what Morrisons could have realistically done to prevent this situation from arising. Nevertheless, the message from today’s ruling is clear: even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders.”

5 Responses to Morrisons payroll data breach judgment a ‘wake-up call’ for business

Morrisons did not provide protection for the colleagues before or after; this is a false statement. They gave everyone a 6-month Experian credit check for free, which only says if someone has tried to get a loan or credit in your name; it does not actually prevent loss.

We were told to change our bank accounts and offered 6 months’ free Experian credit, so they DID NOT protect us before or after the situation, as this would only inform us if someone has already taken out credit in our names.

This is an utterly ridiculous judgement from a legal system designed to make work for itself. It will have terrible implications and brings the whole legal system into disrepute.
How can employers be liable for something they cannot protect against? To say “buy insurance” is the language of someone with a very low IQ.

Not really – the court is following the well established rules for defining vicarious liability (prove there is a relationship between the two parties and that the actions of one of the parties could reasonably be part of their duties) – Skelton was employed by Morrisons (relationship) and he was an internal auditor, so it was reasonable for him to have access to this data (reasonable use). His actions were criminal, but the liability is vicarious.

Morrisons successfully defended a case a few years back on the same principle – where an employee assaulted a member of the public – they argued that his actions were not reasonably part of his job and the court agreed.